bug-gnu-utils

Vulnerability Report on Sharutils 4.15.2


From: nafiez
Subject: Vulnerability Report on Sharutils 4.15.2
Date: Wed, 21 Feb 2018 15:06:34 +0800
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0

Hi,

Below are the details of the issue we found while fuzzing "unshar".
I was trying to compile with ASAN; however, it doesn't work at all (I could
be missing something, which is why it didn't work). However, I verified this
manually. Attached is the fuzzed file (password: abc123).

address@hidden:~/sharutils-4.15.2/src/crashed_unshar$ gdb -q ../unshar
Reading symbols from ../unshar...done.
(gdb) r 2.fuzz
Starting program: /home/john/sharutils-4.15.2/src/unshar 2.fuzz
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
2.fuzz:
Segmentation fault

Program received signal SIGPIPE, Broken pipe.
0xb7fd9ce5 in __kernel_vsyscall ()
(gdb) bt
#0  0xb7fd9ce5 in __kernel_vsyscall ()
#1  0xb797bb93 in __write_nocancel () at
../sysdeps/unix/syscall-template.S:84
#2  0xb790f0b1 in _IO_new_file_write (f=0xb4103b50, data=0xb6100100,
n=4096) at fileops.c:1263
#3  0xb790e3e4 in new_do_write (address@hidden,
address@hidden "", address@hidden) at fileops.c:518
#4  0xb790f775 in _IO_new_file_xsputn (f=0xb4103b50, data=0xb6100100,
n=4096) at fileops.c:1342
#5  0xb790e01e in __GI_fwrite_unlocked (buf=0xb6100100, size=1,
count=4096, fp=0xb4103b50) at iofwrite_u.c:43
#6  0x0804c2df in unshar_file (name=0xbffff1e4 "2.fuzz",
file=0xb4903bc0) at unshar.c:396
#7  0x0804a2f5 in validate_fname (fname=0xbffff1e4 "2.fuzz") at
unshar-opts.c:604
#8  main (argc=2, argv=0xbfffefb4) at unshar-opts.c:639

On further verification of the source code, we found the issue is on
line unshar.c:396, which breaks when performing the write. The issue seems
to be more of a memory corruption.

Thanks,

Nafiez

Attachment: SIGSEGV_STACK.zip
Description: Zip compressed data
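The backtrace above ends in __write_nocancel under SIGPIPE, reached from fwrite (frame #5) at unshar.c:396. As an added illustration, not part of the report or of sharutils, the following C program reproduces that signal path in isolation: it writes through a stdio FILE into a pipe whose read end is already closed. Everything here is constructed for the example (the pipe, the sample bytes, the two helper functions); it does not use or model sharutils' own code. The first helper runs the write with SIGPIPE ignored so the failure surfaces as errno EPIPE that the caller can check and log; the second runs the same write in a child with SIGPIPE at its default disposition and reports the signal that terminated it, which is the outcome the gdb session shows.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed scenario: write `len` bytes through stdio into a pipe that
 * has no reader, with SIGPIPE ignored for the duration of the call.
 * Returns the errno observed (EPIPE expected) or 0 if the write succeeded.
 * -1 means the pipe could not even be created. */
int write_to_closed_pipe(const char *buf, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    close(fds[0]);                       /* simulate a consumer that has gone away */

    void (*old)(int) = signal(SIGPIPE, SIG_IGN);  /* fatal signal -> error return */

    FILE *fp = fdopen(fds[1], "w");
    size_t n = fwrite(buf, 1, len, fp);  /* usually lands in the stdio buffer */
    int err = 0;
    if (n < len || fflush(fp) != 0)      /* the flush is where write(2) fails */
        err = errno;                     /* EPIPE: nobody is reading the pipe */
    fclose(fp);
    signal(SIGPIPE, old);                /* restore the caller's disposition */
    return err;
}

/* Same write, but performed in a child with SIGPIPE at its default
 * disposition. Returns the signal number that killed the child (SIGPIPE
 * expected), 0 if the child exited normally, or -1 on setup failure. */
int signal_from_default_write(const char *buf, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    close(fds[0]);                       /* no reader anywhere before the fork */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        signal(SIGPIPE, SIG_DFL);        /* default action: terminate the process */
        FILE *fp = fdopen(fds[1], "w");
        fwrite(buf, 1, len, fp);
        fflush(fp);                      /* write(2) to a reader-less pipe -> SIGPIPE */
        _exit(0);                        /* only reached if no signal was delivered */
    }
    close(fds[1]);
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

int main(void)
{
    const char *sample = "hello\n";      /* constructed payload, nothing unshar-specific */
    int err = write_to_closed_pipe(sample, strlen(sample));
    printf("with SIGPIPE ignored:  errno=%d (%s)\n", err, strerror(err));
    int sig = signal_from_default_write(sample, strlen(sample));
    printf("with SIGPIPE default:  child killed by signal %d\n", sig);
    return 0;
}
```

The practical takeaway for triage is that a SIGPIPE stop in gdb identifies where the process was writing when its consumer disappeared; checking the fwrite/fflush return values with SIGPIPE ignored turns that abort into a reportable EPIPE, which makes it easier to separate a broken-pipe condition from whatever else a fuzzed input may be doing to the program.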

